(54) Method and system for advanced role-based access control in distributed and centralized computer systems



(57) A method and system for registration, authorization, and control of access rights in a computer system are disclosed in the present invention. The inventive method for controlling access rights of subjects (1) on objects (4) in a computer system uses parameterized role types (2) that can be instantiated into role instances (4) equivalent to roles or groups as known from the prior art. The required parameters are provided by the subject (1) of the computer system, e.g. by a person (5), a job position (6) or an organization unit (7). Furthermore, the inventive method provides relative resource sets (8) which are instantiated into concrete resource sets (9) and individual resources (10) by using the same parameter values as for instantiating the role types.

The inventive system for authorization and control of access rights as disclosed in the present invention comprises capability lists (30) providing the access rights of the subjects (1) on the objects (4) of a computer system on a per-subject basis. Furthermore, the inventive system comprises means for deriving (32) access control lists (31) from capability lists (30), wherein said access rights of the subjects (1) on the respective objects (4) are provided.
Description

Technical Field

The present invention relates to the technical field of role-based access control methods and security systems in distributed and centralized computer systems. More specifically, the invention relates to a method for controlling access rights of subjects on objects in a computer system by controlling said access rights dependent on a membership of a subject to a role. Furthermore, the invention relates to a system for registration, authorization, and control of access rights of subjects on objects in a computer system, wherein the system comprises users, groups, and access control lists at each object providing the access rights on the respective object.

Background Art 

In a computer system the accesses of users to data have to be controlled for security needs of the enterprise or organization using this computer system. The control of these accesses is performed by using access rights defining whether and how a user may access data in the computer system. This access control is performed by a security system which is integrated in or added to the operating system of the computer system. This security system performs a specific method for controlling access rights.

In most of the installed computer systems access rights are granted or revoked explicitly for individual users or groups of users on respective data or, more generally, on respective objects by a system administrator. All access rights of all users on this object form an access control list (ACL) associated to this object. When an access request occurs during operation time of the computer system from a user or, more generally, from a subject to this object, then the security system looks at the access control list of the respective object and decides whether the subject may access this object in the requested manner. These broadly installed security systems allow a so-called "per-object-review" of access rights, that is, to determine the kind of access rights of all subjects of a computer system to a respective object.

Since it is very inconvenient for a system administrator to provide each user with individual access rights, and for achieving a higher grade of data security and integrity in a computer system, a Role-Based Access Control (RBAC) method has been developed. Therein, a role is mainly a definition of a job at the lowest level of granularity used in this enterprise or organization. In this role-based access control system the system administrator only has to grant or revoke access rights to a role and has to group different subjects under this role.

In F.H. Lochovsky: "Role-Based Security in Data Base Management Systems", which is included in C.E. Landwehr (editor): "Database Security: Status and Prospects", Elsevier Science Publishers B.V., 1988, pp. 209 - 222, the use of roles and objects in specifying a security mechanism for data base management systems is discussed. Using the idea that a user can play certain roles, authorization was specified using these roles.

In R.W. Baldwin: "Naming and Grouping Privileges to Simplify Security Management in Large Data Bases", Proceedings of IEEE Symposium on Security and Privacy, Oakland, 1990, pp. 116 - 132, authorization and controlling access rights in large security systems in the field of data base objects are described.

In D. Ferraiolo et al: "Role-Based Access Controls", Proceedings of the 15th National Computer Security Conference, Oct. 1992, pp. 554 - 563, which can be regarded as the closest prior art to the present invention, the role-based access control method is described in detail. Access control decisions are often based on the roles individual users take on as part of an organization. A role specifies a set of transactions that a user or set of users can perform within the context of an organization. Role-based access control provides a means of naming and describing relationships between individuals and access rights, providing a method of meeting the secure processing needs of many commercial and civilian government organizations.

Concerning the method of controlling access rights in a computer system as known from the existing role-based access control methods it is disadvantageous that a large number of similar but not identical job positions in an organization requires a large number of roles. This large number of roles causes a high storage requirement for the security system within the computer system. Furthermore it is disadvantageous that the large number of roles causes high computing requirements for the security system. Both aspects lead to high costs for the operation of the security system. Furthermore, it is disadvantageous that the large number of roles makes it very difficult to manage the security system. The system administrator has to create a new role when a person remains in his job position but changes his location or project. This will cause higher costs or even less system security. Furthermore, a role includes the union of all accesses and objects which users of that role have in different organization units of the enterprise. This means that the role will not necessarily contain the least privileges necessary for the functions of that role, i.e., a violation of the "Least Privilege Principle". However, if one attempts to mitigate the lack of access granularity by defining different roles based on access and object contexts, which may be possible in some designs, an administrative mechanism becomes necessary to relate these roles so that their consistent administration, e.g., update, becomes possible. Such a mechanism is not available today.

Concerning the access control system it is disadvantageous that the existing role-based access control systems do not use the existing security mechanisms of the installed computer systems based on the existence of access control lists. Therefore, new security mechanisms or even a new security system have to be implemented on the existing computer system. This causes additional hardware and software development with related high costs. This is even more disadvantageous in distributed or large centralized computer systems. Existing standard access control mechanisms for distributed systems as described in "Introduction to OSF DCE", Open Software Foundation (OSF), 1991, allow scalability to very large distributed systems. To date no role-based access control method scalable to large distributed systems exists.

Objects of the Invention

It is an object of the invention to provide a method for controlling access rights that is scalable to very large distributed computer systems and requires less storage and computing performance for the security system. Furthermore, it is an object of the invention to provide a role-based method for controlling access rights that does not necessarily violate the "Least Privilege Principle" but at the same time is more flexible and more convenient for the system administration.

Concerning the system for authorization and control 
of access rights it is an object of the invention to provide 
a system that can use the security system of installed 
computer systems based on access control lists. 

Summary of the Invention

The objects of the invention are fulfilled by the fea- 
tures of independent claims 1 and 13. Further arrange- 
ments of the invention are disclosed in the according 
dependent claims. 

A method and system for registration, authorization, and control of access rights in a computer system are disclosed in the present invention. The inventive method for controlling access rights of subjects on objects in a computer system uses parameterized role types that can be instantiated into role instances equivalent to roles as known from the prior art. The required parameters are provided by the subject of the computer system. The computer system may derive the parameters from the job position of a subject or its membership in an organization unit. Furthermore, the inventive method provides relative resource sets which are instantiated into concrete resource sets and individual resources by using the same parameter values as for instantiating the role types.

The inventive system for authorization and control of access rights as disclosed in the present invention comprises capability lists providing the access rights of the subjects on the objects of a computer system on a per-subject basis. Furthermore, the inventive system comprises means for deriving access control lists from the capability lists, wherein the system provides said access rights of the subjects on the respective objects on a per-object basis. Within the inventive method, subjects are all possible types of holders of access rights within said computer system, as for example persons, job positions, role instances, users, and transactions. Furthermore, objects are all possible types of resources on which access rights can be defined within the computer system, as for example files, disks, displays, printers, scanners, and transactions.

The invention as described in independent claim 1 eliminates the disadvantages previously described for the prior art. A method for controlling access rights providing role types that can be instantiated into role instances offers the possibility to design a security system for a computer system with very high flexibility. Since only a small number of role types has to be defined it is advantageous that less computing resources have to be provided for the security system within the computer system. Furthermore, it is advantageous that the definition of only a small number of role types requires less administration effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security. Furthermore, it is advantageous that by providing the appropriate parameter values the role instances of a role type can be restricted in such a way that the "Least Privilege Principle" is satisfied. Furthermore, it is advantageous that the automated generation of role instances by instantiating role types offers higher security of the computer system and higher integrity of the data within the computer system.

A role type combines a set of functional tasks with a common generic set of competences. A role type can be viewed as a template for defining the types of access rights, objects, and transactions necessary to carry out a set of functional tasks.

A role instance, on the other hand, defines the set of concrete and specific competences bound to a role type in a specific organization unit of the enterprise. An organization unit may be a division, a department, a program, a project, a work-flow process or a combination thereof.

In one embodiment of the invention as described in claim 2 the role type is parameterized and the role instance is generated by using at least one parameter value. The use of a parameterized role type allows more flexibility of the security system and less administration activities. Furthermore, it is advantageous that the use of parameterized role types requires less computing resources for the security system.

In a further embodiment of the invention as described in claim 3 the objects of the computer systems form groups of concrete resource sets. Forming such concrete resource sets is advantageous since it allows addressing functional groups of resources or objects with less computing effort of the security system and less administrative overhead.

In a further embodiment of the invention as described in claim 4 the inventive method allows the automated derivation of the concrete resource sets from parameterized relative resource sets. This offers a higher flexibility of the security system with less administration effort. Furthermore, it is advantageous that less computing resources are required for the security system.

In a further embodiment of the invention as described in claim 5, the inventive method provides the parameter value for instantiating the parameterized role types or the parameterized relative resource sets by the subjects of the computer system. This is advantageous since the derivation of role instances from role types or the derivation of concrete resource sets from relative resource sets can be fully automated and requires no administration effort. This restricts the possibility and probability of errors and confusion and therefore provides a higher system security.

In a further embodiment of the invention as described in claim 6 the parameter value is provided by the job position or by the organization unit. This is advantageous since it provides a very flexible security system that requires very little administration activity when a person as a user of the computer system changes his or her job position or even the organization unit. This requires less effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security.

In a further embodiment of the invention as described in claim 7 the job position is combined with at least one role type. This is advantageous since it allows the deriving of role instances associated with this role type by providing all necessary parameters for instantiating a role type with this job position. This allows automated derivation of role instances with no administration activity and therefore requires less effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security.

In a further step of the invention as described in claim 8 the parameterized relative resource sets are associated with the role types. This is advantageous since it allows automated derivation of the concrete resource sets and objects by the same parameters as provided for the role types. This allows automated derivation of the concrete resource sets with no administration activities and therefore requires less effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security.

In a further step of the invention as described in claim 9 the inventive method performs a configuration step for deriving the role instances and the concrete resource sets and objects. This automated configuration step is performed with each administration action and provides at any time the actual and valid role instances and concrete resource sets and objects. This is advantageous since it guarantees the efficiency of the security system and guarantees the security and integrity of data within the computer system.

In a further embodiment of the invention as described in claim 10 the inventive method specifies capability list types associated with the role types and performs an automated configuration step for deriving capability lists associated with role instances. The capability lists are instantiated from the capability list types by using the same parameters as for instantiating role types, and these capability lists provide the access rights of the role instances on the objects within the computer system. The provision of capability lists within the security system of the computer system is advantageous, since it allows an automatic examination of the access rights of all subjects on all possible objects within the computer system without any administration activities and therefore requires less effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security.

In a further embodiment of the invention as described in claim 11 the inventive method generates or modifies access control lists associated with the concrete resource sets and objects. This is advantageous since it supports the security systems as known from the prior art and as used within a large number of installed computer systems with all information required by these security systems. Therefore, the inventive method can be easily applied to the existing security systems without difficult modification or even expensive new implementation of the security system. In the case of scalable existing security systems for large distributed environments this method guarantees scalability of the role-based access control mechanism as well.

In a further embodiment of the invention as described in claim 12 the role types are organized hierarchically. This is advantageous since it allows the organization of role types by subsuming relations. Therefore, if a first role type subsumes a second role type then the set of access rights available to an instance of the first role type includes those available to a corresponding instance of the second role type. This allows a very easy control of access rights with only little administration effort. Furthermore, it is advantageous that the hierarchical organization of role types requires less computing resources of the security system.

With the invention related to a computer system for authorization and control of access rights as described in independent claim 13, the disadvantages previously described for the prior art are eliminated. The registration, authorization, and control system presented in this application offers the advantage that access control lists at the object as well as capability lists at the subjects are provided. This allows a fast review of the access rights of a subject on all possible objects with only little computing resources for the security system. Furthermore, it allows a quick review of all access rights of all possible subjects on a specific object with only little computing resources for the security system. Furthermore, it is advantageous that a system comprising access control lists at the object as well as capability lists at the subject may be applied to all computer systems installed in the field without any change or new implementation in the operating system of the installed computer systems. Furthermore, the simultaneous existence of access control lists and capability lists offers high data security and integrity within the computer system. This is even more advantageous for large distributed computer systems.
In a further embodiment of the invention as described in claim 14 the inventive system comprises means that derive the access control lists for the objects from the capability lists at the subjects. The existence of this means is advantageous since it allows the automatic derivation of access control lists which are required by a large number of security systems of installed computer systems. Therefore, the inventive system can be easily applied to existing computer systems without any modification of the security system of the installed computer systems. Furthermore, it is advantageous that this means derives the access control lists automatically and therefore a high data security and integrity within the computer system can be guaranteed. Furthermore, since the underlying access control mechanisms of existing security systems are used for access control checks at operation time, the inventive system does not lead to performance penalties and is scalable to the same degree as the underlying system.

In a further embodiment of the invention as described in claim 15 the inventive system comprises means for deriving the access control lists during a configuration step of the security system. This configuration step can be performed with or after each administration action. This means offers the advantage that the access control lists are updated with each administration action and therefore guarantees high data security and integrity within the computer system. Furthermore, this means is advantageous since it guarantees the data security and integrity with less computing resources for the security system and requires less effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security.
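The two embodiments above (claims 14 and 15) describe deriving per-object access control lists from per-subject capability lists and re-running that derivation as a configuration step after every administration action. The following Python program is an added example, not code from the patent; the subjects (two role instances), the objects and the rights are constructed sample values. It inverts the capability lists into ACLs, offers the per-subject and per-object reviews of Fig. 7 on the two representations, re-derives the ACLs after each grant or revoke, and checks that both views always describe the same set of (subject, object, right) triples, so that the operation-time check, done against the ACL as the installed system would do it, matches what the capability lists say.

```python
"""Deriving per-object ACLs from per-subject capability lists (added example)."""


def derive_acls(capability_lists):
    """Invert subject -> {object: rights} into object -> {subject: rights}."""
    acls = {}
    for subject, caps in capability_lists.items():
        for obj, rights in caps.items():
            acls.setdefault(obj, {})[subject] = frozenset(rights)
    return acls


def per_subject_review(capability_lists, subject):
    """All objects a subject may access, read from its capability list."""
    return {obj: set(r) for obj, r in capability_lists.get(subject, {}).items()}


def per_object_review(acls, obj):
    """All subjects that may access an object, read from the object's ACL."""
    return {s: set(r) for s, r in acls.get(obj, {}).items()}


def views_consistent(capability_lists, acls):
    """Both views must contain exactly the same (subject, object, right) triples."""
    from_caps = {(s, o, r) for s, caps in capability_lists.items()
                 for o, rights in caps.items() for r in rights}
    from_acls = {(s, o, r) for o, entries in acls.items()
                 for s, rights in entries.items() for r in rights}
    return from_caps == from_acls


class SecurityConfiguration:
    """Keeps capability lists as the source and re-derives the ACLs after each
    administration action (the configuration step)."""

    def __init__(self, capability_lists):
        self.capability_lists = {s: {o: set(r) for o, r in caps.items()}
                                 for s, caps in capability_lists.items()}
        self._configure()

    def grant(self, subject, obj, right):
        self.capability_lists.setdefault(subject, {}).setdefault(obj, set()).add(right)
        self._configure()

    def revoke(self, subject, obj, right):
        rights = self.capability_lists.get(subject, {}).get(obj)
        if rights:
            rights.discard(right)
            if not rights:                      # drop empty entries
                del self.capability_lists[subject][obj]
        self._configure()

    def _configure(self):
        self.acls = derive_acls(self.capability_lists)
        if not views_consistent(self.capability_lists, self.acls):
            raise RuntimeError("capability lists and ACLs diverged")

    def check_access(self, subject, obj, right):
        """Operation-time decision taken on the ACL, as an installed ACL-based system does."""
        return right in self.acls.get(obj, {}).get(subject, frozenset())


# Constructed sample capability lists; the subjects are role instances.
SAMPLE_CAPABILITY_LISTS = {
    "bank employee (Heidelberg)": {"prt01": {"use"}, "prt02": {"use"}},
    "loan specialist (private loans)": {"loan_file_db": {"read", "write"},
                                        "prt01": {"use"}},
}


def demo():
    """Per-object review of prt01 before and after revoking one subject's right."""
    cfg = SecurityConfiguration(SAMPLE_CAPABILITY_LISTS)
    before = per_object_review(cfg.acls, "prt01")
    cfg.revoke("loan specialist (private loans)", "prt01", "use")
    after = per_object_review(cfg.acls, "prt01")
    return before, after, cfg.check_access("bank employee (Heidelberg)", "prt01", "use")


if __name__ == "__main__":
    print(demo())
```

The capability lists remain the single source of truth; the ACLs are always a derived artifact, which is why the consistency check runs inside the configuration step rather than at access time.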

In a further embodiment as described in claim 16 the inventive system comprises means for deriving the capability lists from a role-based access control system. The presence of this means allows the application of role-based access control systems as known from the prior art on security systems of computer systems as installed in the field in large numbers. The inventive system advantageously allows the application of role-based access control systems without any modification or even new implementation on the installed security systems. Therefore, role-based access control systems can be provided for existing computer systems with low cost and high security and integrity of the data within the computer system.

In a further embodiment of the invention as described in claim 17 the inventive system comprises means for deriving and generating user accounts from the capability lists. This is advantageous since it allows the automatic derivation and generation of user accounts on all computer systems that host objects occurring on the capability lists of subjects. This requires less effort, thus restricts the possibility and probability of errors and confusion and therefore provides a higher system security.



Brief Description of the Drawings

Fig. 1 gives an overview of the method for controlling access rights.

Fig. 2A gives an overview of role type instantiation.

Fig. 2B shows an example for role type instantiation.

Fig. 2C shows the example of role type instantiation of Fig. 2B in more detail.

Fig. 3A shows the aspect of role type hierarchy of the inventive method.

Fig. 3B shows an example of role type hierarchy for the business field of banking.

Fig. 4 shows a method of resource set definition.

Fig. 5 gives an overview of the method for controlling access rights on organizational level as well as on system level.

Fig. 6 gives an overview of the system for authorization and control of access rights.

Fig. 7 shows the possibility of a per-object-review as well as a per-subject-review as provided by the inventive system.

Description of a Preferred Embodiment

An elaborated preferred method for controlling access rights of subjects on objects in a computer system and a preferred embodiment of a system for authorizing and control of access rights according to the present invention will be described with reference to the accompanying drawings.

Fig. 1 gives an overview of the method for controlling access rights. A set of subjects 1 as holders of access rights is defined and associated to a set of role types 2. The role types 2 are instantiated into a set of role instances 3 and therefore associate the subjects 1 to the role instances 3. Multiple subjects 1 can be associated with one role type 2. Also, a subject 1 can be associated with more than one role type 2. The instantiation of role types 2 into role instances 3 also determines the association between the role instances 3 and the objects 4 of the computer system. Usually there will be multiple instances of one role type due to different parameter values provided by different subjects.

Fig. 2A gives an overview of the method of role type instantiation. Persons 5 that are users of an enterprise computer system are employees acting in assigned job positions 6. Each job position 6 is associated with a set of functional tasks and, thus, associates these tasks with a user in the enterprise organization hierarchy. Each task requires a set of competences, which can be viewed as a set of specific access rights to a set of objects 4 necessary to carry out that task. Hence, each job position 6 ultimately associates a user with specific access rights to a set of objects 4. Thus, a security administrator must be able to associate these rights, objects, and transactions with the job positions of the enterprise organization. To enable this, the concepts of role types and role instances are defined.

Fig. 2B shows job positions 6, role types 2, and the creation of role instances 3. The diagram shows an organization structure, e.g. organization units 7 and job positions 6, on the left and a set of role types 2 on the top of the matrix. A marked field of the matrix means that a role instance 3 of the corresponding role type 2 is assigned to the job position 6. The necessary parameter values to instantiate the role type 2 are derived from attributes of the individual job position 6 or a higher level organization unit. The values of these attributes determine the actual competences the job position 6 is assigned via the role instance 3. Job positions 6 may share the same role instance 3 as illustrated by the shaded fields in a column.

A job position 6 is associated with one or more role instances 3, depending upon how granular the job position 6 is intended to be. These role instances 3 are derived from different role types 2. For example, there are three role instances associated with the job position "staff member 2" of "private loans", one derived from the role type "loan specialist", another one derived from "customer consultant", and one derived from "bank employee".

Often similar job positions, such as "staff member 1" and "staff member 2" of the "private loans" department, will be assigned to the same role instance as shown by the shaded fields in the matrix, because none of the attributes that are relevant for instantiating the role type differ between the job positions. However, different job positions 6 or similar job positions 6 in different organization units 7 will usually be associated with different role instances 3 of the same role type 2, because they bring in different attribute values for the role type instantiation. In the above example the role type "loan specialist" is instantiated in two different role instances that are bound to two different job positions of the department "object appraisal", the "team-leader" and the "staff member 1" position.

Job sharing can be modelled by assigning one job position 6 to multiple persons 5. On the other hand a single person 5 may be assigned to multiple job positions 6. For example, a person 5 in a "staff member" position in a department may also act, perhaps temporarily, as the "department manager". Of course, assignment to some job positions 6 may exclude assignment to other job positions 6 for separation-of-duty reasons. For example, a person 5 in the job position 6 "security administrator" may not be assigned to the job position 6 of "auditor" because otherwise the accountability of the "security administrator's" actions would be lost.



Fig. 2C shows an example of the role type instantiation method in more detail, especially for the role instance in the framed matrix cell 15 of Fig. 2B. A role instance 3 binds the relative competences defined by a role type 2 to the objects 4, and access rights specific to an organization unit 7 or a job position 6. To perform this, at first for each organization unit and for each job position 6 a set of attributes has to be declared as relevant for role type instantiation. These attributes are said to be advertised. As an example, this could be the department identity or the location attribute of the department organization unit or the project identity attribute of a job position 6. Second, so-called relative resource sets 8 may be defined and associated with role types 2. A relative resource set 8 specifies the parameters it expects for instantiation from among the advertised ones in the enterprise. For example, one could define the relative resource set "printers (printlocation)" by enumerating the printers that are available to each location:

printers (Boeblingen): = {p2160, p2240, ...}
printers (Heidelberg): = {prt01, prt02, ...}

The "print location" parameter is declared as referencing the advertised "location" attribute of a department.
Thus, when a job position 6 as part of certain organization units 7 is combined with a role type 2 associated with parameterized relative resource sets 8, the actual resources can be determined by instantiating the parameters with the values of the advertised attributes for this job position 6. In the example of Fig. 2C, if

1. private loans is located in Heidelberg,

2. the relative resource set 8 "printers (printlocation)" is associated with role type 2 "bank employee" with permission "use", and

3. "staff member 1" of the department "private loans" is assigned the role type 2 "bank employee",

then "staff member 1" will have "use" access to the printers "prt01, prt02, ...".

Whether a new role instance 3 has to be created in this case depends on whether the "bank employee" role type 2 has already been instantiated with the same parameters. If this is the case "staff member 1" will only be assigned the already existing role instance 3 "bank employee (..., Heidelberg, ...)".
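The Fig. 2C procedure, carried through in Python as an added example (not code from the patent): organization units advertise a "location" attribute, the relative resource set "printers(location)" enumerates the printers at each location, the role type "bank employee" grants "use" on that set, and a role instance is created only when the role type has not yet been instantiated with the same parameter values. The printer names, the locations and the job positions are the ones named on the page; placing the "object appraisal" department in Boeblingen, and the class and function names, are assumptions made for the example.

```python
"""Parameterized role types, relative resource sets and role instance reuse (added example)."""
from dataclasses import dataclass


@dataclass
class RelativeResourceSet:
    name: str
    parameter: str   # the advertised attribute this set expects, e.g. "location"
    table: dict      # parameter value -> tuple of concrete resources


@dataclass(frozen=True)
class RoleType:
    name: str
    grants: tuple    # (RelativeResourceSet, permission) pairs, independent of any org unit


@dataclass(frozen=True)
class JobPosition:
    name: str
    org_unit: str
    role_types: tuple


# Relative resource set of Fig. 2C; printer names as given on the page.
PRINTERS = RelativeResourceSet("printers", "location", {
    "Boeblingen": ("p2160", "p2240"),
    "Heidelberg": ("prt01", "prt02"),
})

BANK_EMPLOYEE = RoleType("bank employee", ((PRINTERS, "use"),))

# Advertised attributes of the organization units (constructed sample data;
# the location of "object appraisal" is an assumption).
ORG_UNITS = {
    "private loans": {"location": "Heidelberg"},
    "object appraisal": {"location": "Boeblingen"},
}


class RoleInstanceStore:
    """Creates role instances on demand: one instance per (role type, parameter values)."""

    def __init__(self):
        self.instances = {}   # (role type name, ((param, value), ...)) -> {resource: {perm}}

    @staticmethod
    def parameters_for(role_type, org_unit):
        """Collect the parameter values the role type needs from the unit's advertised attributes."""
        attrs = ORG_UNITS[org_unit]
        needed = sorted({rs.parameter for rs, _ in role_type.grants})
        return tuple((p, attrs[p]) for p in needed)

    def instance_for(self, role_type, org_unit):
        """Key of the role instance for this role type in this org unit; the relative
        resource sets are instantiated only if no instance with these parameters exists."""
        params = self.parameters_for(role_type, org_unit)
        key = (role_type.name, params)
        if key not in self.instances:
            values = dict(params)
            rights = {}
            for rs, perm in role_type.grants:
                for resource in rs.table.get(values[rs.parameter], ()):
                    rights.setdefault(resource, set()).add(perm)
            self.instances[key] = rights
        return key


def rights_of(position, store):
    """Concrete access rights of a job position: the union over its role instances."""
    merged = {}
    for role_type in position.role_types:
        key = store.instance_for(role_type, position.org_unit)
        for resource, perms in store.instances[key].items():
            merged.setdefault(resource, set()).update(perms)
    return merged


def demo():
    """Three job positions in two org units yield two role instances, not three."""
    store = RoleInstanceStore()
    positions = [
        JobPosition("staff member 1", "private loans", (BANK_EMPLOYEE,)),
        JobPosition("staff member 2", "private loans", (BANK_EMPLOYEE,)),
        JobPosition("staff member 1", "object appraisal", (BANK_EMPLOYEE,)),
    ]
    rights = {(p.name, p.org_unit): rights_of(p, store) for p in positions}
    return rights, len(store.instances)


if __name__ == "__main__":
    for position, rights in demo()[0].items():
        print(position, rights)
```

Keying the store by the full tuple of parameter values is what gives the reuse described in the text: the two "private loans" positions share one instance, while the same role type in Boeblingen produces a second instance with different concrete printers.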

Fig. 3A shows the role type hierarchy in the disclosed inventive method. The access-control policy semantics captured by the specification of role types reflect the functional partitioning and inclusion of generic access rights, resources, and transactions necessary to conduct the business activities and management of an enterprise. This partitioning and inclusion is intended to cover the data and application access relationships that are independent of the user's job position 6 and organization context, i.e. units 7, of the enterprise. The rest of the access-control semantics captured by role instances 3 and job positions 6 reflect constraints placed by enterprise policies, such as the need-to-know and separation-of-duty policies, on enterprise organization units 7.
A role type 2 is defined as a set of generic parameter-dependent resources and their associated permissions or access rights. In a special case they may also contain concrete resources that do not depend on any parameters. Role types 2 can be organized hierarchically by a "subsumed" relation. If a first role type 16 subsumes a second role type 17, then the set of access rights available to an instance 18 of the first role type 16 includes those available to a corresponding instance 19 of the second role type 17. The expression "corresponding" in this context means that both role types 16, 17 are instantiated with the same parameter values. The subsuming role type 16 must have at least the parameters of the subsumed role type 17; it may have more.

The role type hierarchy defines in mathematical terms a lattice structure. Trivially, the top of the lattice can include all types of access rights to all objects 4, whereas the bottom can include the respective empty sets. Of course, lattices with non-trivial tops and bottoms can be defined. When instantiating a lattice of role types in a system, the top and bottom of the lattice need not be used for any specific role instance 3 and job position 6.

It is the implicit assumption which leads to the notion of the role type hierarchy that the sets of generic competences of job functions 6 and the role types 2 derived from them

1. can be structured as hierarchies by the subsumed relation, and

2. do not change very frequently.

The first assumption appears to be realistic because enterprise access control policies are often defined to reflect the hierarchical relationship built into an enterprise organization and its functions. The second assumption also appears to be realistic because the job functions defined within an enterprise are stable, since they are based on the enterprise business characteristics. Since the definition of job functions does not change very often, the sets of access rights to objects 4 needed for a job position 6 are not expected to change very often. It is important that neither assumption prevents the addition of new role types 2 to the lattice nor that of new role instances 3 and job positions 6 to an enterprise.

Fig. 3B shows an example of the role type hierarchy within the inventive method of access control. The example shows a hierarchy of the role types 2 used in Fig. 2B. In this example the access rights of a "second-line manager" and of a "first-line manager" subsume those of a "secretary", which in turn subsume those of a "typist". All role types subsume the role type "bank employee". As a consequence, "bank employee" could be dropped from the matrix in Fig. 2B because the corresponding competences are covered by a membership in any of the other role types. For the same reason the "team-leader" of the "object appraisal" department does not have to be assigned the "loan specialist" role explicitly, since his "team-leader" role type subsumes it.
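The subsumed relation and its consequences, as an added example that is not part of the patent: the closure gives every role type whose rights a corresponding instance includes, the parameter check enforces that a subsuming type declares at least the subsumed type's parameters, and the minimal assignment drops types such as "bank employee" that another assigned type already covers. The parameter names in PARAMS and the direct edges in SUBSUMES are assumptions chosen to match the Fig. 3B description.

```python
# Added example (not from the patent): the "subsumed" relation between
# parameterized role types, its transitive closure, and the check that a
# subsuming type declares at least the parameters of the type it subsumes.
# The hierarchy mirrors the bank example; parameter names are constructed.

# role type -> its parameter names (constructed; only "bank employee" depends
# on a print location alone, every other type also depends on "dept")
PARAMS = {
    "bank employee": {"printlocation"},
    "typist": {"printlocation", "dept"},
    "secretary": {"printlocation", "dept"},
    "first-line manager": {"printlocation", "dept"},
    "second-line manager": {"printlocation", "dept"},
    "loan specialist": {"printlocation", "dept"},
    "team-leader": {"printlocation", "dept"},
}
# direct "subsumes" edges: subsuming type -> types it subsumes
SUBSUMES = {
    "typist": {"bank employee"},
    "secretary": {"typist"},
    "first-line manager": {"secretary"},
    "second-line manager": {"secretary"},
    "loan specialist": {"bank employee"},
    "team-leader": {"loan specialist"},
}

def validate(params=PARAMS, subsumes=SUBSUMES) -> list:
    """Return edges where the subsuming type lacks a parameter of the subsumed one."""
    return [(a, b) for a, bs in subsumes.items() for b in bs
            if not params[b] <= params[a]]

def subsumed_closure(role_type, subsumes=SUBSUMES) -> set:
    """All role types whose rights an instance of `role_type` includes."""
    seen, stack = set(), [role_type]
    while stack:
        rt = stack.pop()
        for sub in subsumes.get(rt, ()):
            if sub not in seen:
                seen.add(sub)
                stack.append(sub)
    return seen

def minimal_assignment(assigned, subsumes=SUBSUMES) -> set:
    """Drop role types already covered by another assigned type (same parameters,
    since one job position supplies the values for all of its role types)."""
    assigned = set(assigned)
    covered = set().union(*(subsumed_closure(rt, subsumes) for rt in assigned))
    return assigned - covered
```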



Fig. 4 shows the instantiation of concrete resource sets 9 and individual resources 10 from parameterized relative resource sets 8. The parameterized relative resource sets 8 are associated to the parameterized role types 2. The concrete resource sets 9 are derived from the parameterized relative resource sets 8 by using the parameter values provided from the subjects 6, 7 in the computer systems, e.g. provided from the job positions 6 and organization units 7 of the enterprise. The individual resources 10 are grouped into concrete resource sets 9. For example, one possible parameterized relative resource set 8 is the resource set of "printers" with a parameter "printlocation". By providing the location parameter, for example location Heidelberg, the relative resource set 8 is instantiated into the concrete resource set 9 that includes all printers at the location Heidelberg. These printers at the location Heidelberg represent the individual resources 10.

Fig. 5 shows an overview of the method for controlling access rights for the organizational level 20 as well as for the system level 21. It is shown that on the system level 21 persons 5 are represented as users 22, wherein one person 5 may have multiple user identifications, which may be derived from the role information and automatically generated (automatic registration) in the same way as the access rights are derived (automatic authorization). Furthermore, it is shown that the role instances 3 on the organization level 20 are represented by groups 23 on the system level. Furthermore, the concrete resource sets 9 are represented by the individual resources 10 on the system level 21.

Fig. 6 shows a preferred embodiment of a system for authorization and control of access rights as disclosed in the present invention. It is shown that capability lists 30 associated to the subjects 1 of the computer system and containing the access rights of the respective subject 1 on the objects 4 of the computer system can be derived by appropriate means 32 into access control lists 31 associated to the objects 4 of the computer system and containing the access rights of the subjects 1 of the computer system on the respective object 4. The derivation means 32 can be implemented by hardware or by software. Furthermore, it is also possible to derive capability lists 30 from existing access control lists 31.

Fig. 7 shows the possibility to perform a per-object review 40 with the inventive system for authorization and control of access rights. In this example the access rights may be an execute permission "X", a read permission "R" or a write permission "W". Since the inventive control system provides access control lists 31 associated with the objects 4 of the computer system, it is possible to evaluate these access control lists 31 in order to determine all access rights of groups 23 within the computer system on the respective object 4. The group 23 is the representation of an instance, i.e. a role instance 3, of a parameterized role type 2. The role type 2 is instantiated by at least one parameter value provided by the job position 6. The person 5 assigned to this job position 6 has at least one user identification.
As also shown in Fig. 7, the inventive system for authorization and control of access rights as disclosed in the present invention offers the possibility to perform a per-subject review 41. The job position 6 to which a person 5 is assigned is associated with a role. Associated to this role are the access rights of that role on the objects 4 of the computer system. The inventive system comprises capability lists 30 containing these access rights for each role. Furthermore, the system comprises deriving means 32 to generate new or modify existing access control lists 31 from the capability lists 30.
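The derivation of access control lists 31 from capability lists 30 (and back), together with the per-object review 40 and per-subject review 41 of Fig. 7, as an added example that is not the patent's own code: subjects are the groups representing role instances, permissions are "X", "R" and "W", and the group and object names used in the comments and tests are constructed.

```python
# Added example (not from the patent): capability lists kept per subject,
# the derivation of per-object access control lists from them (and back),
# and the per-object and per-subject reviews of Fig. 7. Subjects are the
# groups that represent role instances; all names are constructed.
PERMS = ("X", "R", "W")   # execute, read, write, as in the Fig. 7 example

def derive_acls(capability_lists: dict) -> dict:
    """Transpose subject -> {object: perms} into object -> {subject: perms}."""
    acls = {}
    for subject, caps in capability_lists.items():
        for obj, perms in caps.items():
            unknown = set(perms) - set(PERMS)
            if unknown:
                raise ValueError(f"unknown permission {unknown} for {subject} on {obj}")
            acls.setdefault(obj, {})[subject] = set(perms)
    return acls

def derive_capability_lists(acls: dict) -> dict:
    """The inverse derivation: object -> {subject: perms} back to per-subject lists."""
    caps = {}
    for obj, entries in acls.items():
        for subject, perms in entries.items():
            caps.setdefault(subject, {})[obj] = set(perms)
    return caps

def per_object_review(acls: dict, obj: str) -> dict:
    """Which groups hold which of X/R/W on one object (review 40)."""
    return {s: "".join(p for p in PERMS if p in perms)
            for s, perms in acls.get(obj, {}).items()}

def per_subject_review(capability_lists: dict, subject: str) -> dict:
    """Which objects one group may reach, and how (review 41)."""
    return {o: "".join(p for p in PERMS if p in perms)
            for o, perms in capability_lists.get(subject, {}).items()}

def apply_capability_change(acls: dict, subject: str, obj: str, perms) -> dict:
    """Modify existing ACLs when a subject's capability list changes (means 32).
    An empty permission set removes the subject's entry from the object's ACL."""
    if perms:
        acls.setdefault(obj, {})[subject] = set(perms)
    else:
        acls.get(obj, {}).pop(subject, None)
    return acls
```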

Claims 

1. A method for controlling access rights of at least one subject (1) on at least one object (4) in a computer system, wherein said subject (1) is associated to at least one role, said method comprising the step of:
controlling said access rights dependent on a membership of said subject (1) to said role,
characterized in that a role type (2) is provided and said role is represented as a role instance (3) and said method further comprising the prior step of:
instantiating said role type (2) into said role instance (3), that is, deriving said role instance (3) from said role type (2).

2. The method according to claim 1, wherein at least one parameter value is provided and said role type (2) is a parameterized role type (2), said method further comprising the step of:
instantiating said parameterized role type (2) by using said parameter value.

3. The method according to claim 1 or 2, wherein at least one concrete resource set (9) is provided, said method further comprising the step of:
providing said object (4) as an element of at least one of said concrete resource sets (9).

4. The method according to claim 3, wherein at least one parameter value is provided and at least one parameterized relative resource set (8) is provided, said method further comprising the step of:
instantiating said parameterized relative resource set (8) into said concrete resource set (9) by using said parameter value, that is, deriving said concrete resource set (9) from said parameterized relative resource set (8) by using said parameter value.

5. The method according to one of claims 2 to 4, further comprising the step of:
providing said parameter value by said subject (1).

6. The method according to claim 5, wherein a job position (6) within an organization unit (7) of the organization of said subject (1) is provided, said method further comprising the step of:
providing said parameter value by said job position (6) or by said organization unit (7).

7. The method of claim 6, further comprising the step of:
combining said job position (6) with at least one of said role types (2).

8. The method of one of claims 4 to 7, further comprising the step of:
associating at least one of said parameterized relative resource sets (8) with said role types (2).

9. The method of one of claims 3 to 8, further comprising the step of:
performing a configurating step for deriving said role instances (3) and for deriving said concrete resource sets (9) and objects (4).

10. The method of one of claims 3 to 9, further comprising the steps of:
specifying capability list types associated with said role types (2), and
performing a configurating step for deriving a capability list (30) associated with a corresponding role instance (3) from said capability list types, said capability list (30) provides said access rights of said role instance (3) on said objects (4).

11. The method of claim 9 or 10, further comprising the step of:
generating or modifying access control lists (31) associated with said concrete resource sets (9) and objects (4), said access control lists (31) provide said access rights of said subjects (1) on said object (4).

12. The method of one of claims 1 to 11, wherein said role types (2) are organized hierarchically.

13. A computer system for registration, authorization, and control of access rights of at least one subject (1) on at least one object (4),
said system comprises access control lists (31) at each object (4), said access control lists (31) provide said access rights of said subjects (1) on said object (4),
characterized in that said system further comprises:
capability lists (30) associated with said subject (1), said capability lists (30) provide said access rights of said subject (1) on said objects (4).

14. The system according to claim 13, further comprising:
means for deriving (32) said access control lists (31) at said objects (4) from said capability lists (30) associated with said subjects (1).

15. The system according to claim 13 or 14, further comprising:
means for deriving (32) said access control lists (31) during a configurating step of said system.

16. The system according to one of claims 13 to 15, further comprising:
means for deriving (32) said capability lists (30) from a role based access control system.

17. The system according to one of claims 13 to 16, further comprising means for deriving and generating necessary user accounts from said capability lists (30), in particular from the locations of objects (4) in said capability lists (30).